WordPress Security Tips

If you are reading this WordPress security article, you may have already fallen victim to a hacked or spammed website. If you haven’t been a victim yet, you have either been very lucky or don’t realise your site has already been hacked. In this article we are only going to cover a couple of basic changes you can make to make life more difficult for hackers, and advise on how to keep one step ahead of a potential threat.

How to improve WordPress Security

Please remember to back up your database and files before attempting to make any major changes to your website security. If you are improving security after an attack, you will need to change your WordPress Authentication Keys in your wp-config.php file.

Skill Level: Intermediate

1. Enable Automatic Updates for Themes / Plugins / Core (wp-config.php)

Make sure that all of your plugins and your core version of WordPress are up to date. If you are using a purchased theme, this needs to be updated also.

Open your wp-config.php file and add the following lines:


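// Turn on Automatic Updates by BWD Group

// Place this define above the line that loads wp-settings.php.
define('WP_AUTO_UPDATE_CORE', true);

// add_filter() does not exist until WordPress has loaded, so calling it
// above the wp-settings.php line in wp-config.php is a fatal error.
// Put these two lines in a plugin file instead, for example a
// must-use plugin in wp-content/mu-plugins/.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );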


To avoid possible WP-CLI conflicts, it is recommended to only use add_filter calls in a custom plugin. WordPress reserves the mu-plugins (must-use plugins) directory for plugins that are loaded automatically and cannot be disabled from the WP Dashboard.

2. Disable WordPress Theme and Plugin Editors (wp-config.php)

By default WordPress allows the Administrator to modify both themes and plugins from the dashboard. This should be disabled to prevent someone from changing your source code to execute server commands or to inject malware.

Open your wp-config.php file and add the following line:


// Disable WordPress Theme or Plugin Editor by BWD Group

define( 'DISALLOW_FILE_EDIT', true );


3. Disable PHP Execution for /wp-includes/ and /uploads/

To prevent custom PHP code from being executed within your WordPress directories, create a .htaccess file in the /wp-includes/ and /uploads/ folders and add the following lines.

<Files *.php>
deny from all
</Files>
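
A check for steps 1 to 3, as an added example that is not code from the original article: it reads wp-config.php and the two .htaccess files and lists which of the settings above are missing. The wp-content/uploads path and the function names are assumptions, and the sample site in demo() is constructed.

```python
import re, tempfile
from pathlib import Path
# Constants from steps 1 and 2, with the value the article sets.
REQUIRED_DEFINES = {"WP_AUTO_UPDATE_CORE": "true", "DISALLOW_FILE_EDIT": "true"}
# Step 3 directories; wp-content/uploads is the assumed default uploads path.
NO_PHP_DIRS = ["wp-includes", "wp-content/uploads"]

DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*([^)]+?)\s*\)\s*;""")
FILES_RE = re.compile(r'<Files\s+"?\*\.php"?\s*>(.*?)</Files>', re.I | re.S)
DENY_RE = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I | re.M)

def active_php(src):
    """Drop block and whole-line comments so a commented-out define() is ignored."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"^\s*(//|#).*$", "", src, flags=re.M)

def audit(root):
    """Return a list of findings; an empty list means steps 1-3 are in place."""
    root, findings, defines = Path(root), [], {}
    config = root / "wp-config.php"
    if config.is_file():
        found = DEFINE_RE.findall(active_php(config.read_text(errors="replace")))
        defines = {name: value.lower() for name, value in found}
    for name, want in REQUIRED_DEFINES.items():
        if defines.get(name) != want:
            findings.append(f"{name}: expected {want}, got {defines.get(name, 'nothing')}")
    for rel in NO_PHP_DIRS:
        ht = root / rel / ".htaccess"
        text = ht.read_text(errors="replace") if ht.is_file() else ""
        # Only a closed <Files *.php> block containing a deny rule counts.
        if not any(DENY_RE.search(body) for body in FILES_RE.findall(text)):
            findings.append(f"{rel}/.htaccess: no closed <Files *.php> deny block")
    return findings

def demo():
    """Constructed site: DISALLOW_FILE_EDIT commented out, uploads <Files> block unclosed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-config.php").write_text(
            "<?php\ndefine('WP_AUTO_UPDATE_CORE', true);\n"
            "// define( 'DISALLOW_FILE_EDIT', true );\n")
        for rel, closing in zip(NO_PHP_DIRS, ["</Files>\n", ""]):
            (root / rel).mkdir(parents=True)
            (root / rel / ".htaccess").write_text(
                "<Files *.php>\ndeny from all\n" + closing)
        return audit(root)

if __name__ == "__main__":
    print("\n".join(demo()))
```

Call audit() with the path to a copy of your site's files; it only reads them and changes nothing.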

4. Change the default username (admin) to something different

A simple change to your default username could prevent a brute force password attack on your website. WordPress does not allow you to modify the default admin username from the dashboard, but this can be done by downloading a plugin called admin renamer extender.

Once changed you will be automatically logged out of WordPress.

5. Increasing Login Security (Limit Login Attempts)

We suggest that you install the plugin ‘limit login attempts’ to prevent someone from performing a brute force attack on your WordPress installation.

If you are really paranoid, you can always limit access by IP address, provided you have a fixed IP.

6. Block IP Addresses from specific countries (IP2Location)

A high percentage of WordPress attacks originate from overseas, and if you run a business in the UK you could lock out 99% of those foreign IP addresses.

For accurate and stable results, we suggest that you pay for an updated IP database for as little as $49.00 through IP2Location.

* It is important to remember that if you need Google to crawl your website, you will have to allow US-based IP addresses to access your website.

7. Purchase a WordPress Security Suite (Wordfence or Sucuri)

It is almost impossible to make your website bullet-proof, and with exploits and zero-day attacks a common occurrence for the WordPress community, it’s a good investment to purchase a premium security tool which will improve your chances of preventing a future attack.

We recommend both Sucuri and Wordfence for improving your website security. If your website has been hacked and you need a malware clean-up service and security audit, please give us a call on 01204 235928.